Thursday, September 04, 2014

Vuln bounties are now the norm

When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be "did you follow industry norms?". Your opposition will hire expert witnesses like me to say "no, they didn't".

One of those norms you fail at is "Do you have a vuln bounty program?". These are programs that pay hackers to research and disclose vulnerabilities (bugs) in their products/services. Such bounty programs have proven their worth at companies like Google and Mozilla, and have spread through the industry. The experts in our industry agree: due-diligence in cybersecurity means that you give others an incentive to find and disclose vulnerabilities. Contrariwise, anti-diligence is threatening, suing, and prosecuting hackers for disclosing your vulnerabilities.

There are now two great bounty-as-a-service*** companies "HackerOne" and "BugCrowd" that will help you run such a program. I don't know how much it costs, but looking at their long customer lists, I assume it's not too much.

I point this out because a lot of Internet companies have either announced their own programs, or signed onto the above two services, such as the recent announcement by Twitter. All us experts think it's a great idea and that the tradeoffs are minor. I mean, a lot of us understand tradeoffs, such as why HTTPS is difficult for your website -- we don't see important tradeoffs for vuln bounties. It is now valid to describe this as a "norm" for cybersecurity.

*** HackerOne isn't strictly a "bounty-as-a-service" company but a "vuln coordination" service. However, all the high-profile customers they highlight offer bounties, so it comes out to much the same thing. They might not handle the bounties directly, but they are certainly helping the bounty process.

Update: One important tradeoff is that such bounty programs attract a lot of noise from idiots, such as "your website doesn't use SSL, now gimme my bounty" [from @beauwoods]. Therefore, even if you have no vulnerabilities, there is some cost to such programs. That's why BugCrowd and HackerOne are useful: they can sift through the noise more efficiently than your own organization. However, this highlights a problem in your organization: if you don't have the expertise to filter through such noise (and many organizations don't), then you don't have the expertise to run a bug bounty program. However, this also means you aren't in a position to be trusted.

Update: Another cost [from @JardineSoftware] is that by encouraging people to test your site, you'll increase the number of false positives on your IDS. It'll be harder now to distinguish testers from attackers. That's not a concern: the real issue is that you already spend far too much time looking at inbound attacks and not enough at successful outbound exfiltration of data. If encouraging testers doubles the number of IDS alerts, then that's a good thing, not a bad thing.

Update: You want to learn about cybersecurity? Then just read what's in/out of scope for the Yahoo! bounty: https://hackerone.com/yahoo